Each TCAP transaction has a timeout associated with it and uses connectionless
transport.
Maguire Transaction Capabilities Application Part (TCAP) Network Signaling and CDPD:4 of 41
maguire@it.kth.se 2002.03.14 Mobile and Wireless Network Architectures
TCAP message flow for a MS registration
[Figure: message sequence between MSC1, VLR1, HLR, VLR2 and MSC2 (VLR1, HLR and VLR2 each with a database). Transactions T1 to T6 carry RegistrationNotification, RegistrationCancellation, QualificationRequest and ServiceProfileRequest, each as an INVOKE answered by a RETURN RESULT.]
Transaction 2 - additional details
Signal Transfer Point 3 (STP3) does a table lookup, i.e., Global Title Translation
(GTT), on the MIN to identify the HLR's address; the TCAP message is then
forwarded from STP3 to STP2, where the HLR is.
GTT is needed because non-geographic numbering is assumed.
TIA TSB-51: Authentication, Signaling Message Encryption and Voice Privacy
MIN and ESN
Mobile Identification Number (MIN) - a North American Numbering Plan
(NANP) number which is the phone number of a mobile phone
Electronic Serial Number (ESN) - a 32 bit serial number programmed into the
phone at manufacture (top 8 bits identify the manufacturer)
In AMPS the MIN and ESN are transmitted in the clear over the air, so it is easy to
listen for them and then program another phone with the same values (a clone).
This led to hundreds of millions of dollars of fraud, which led to TSB-51.
[Figure: TSB-51 authentication message flow. Labels: LA info; registration request; RAND; AUTHR, ESN, MIN, RANDC, COUNT; AuthenticationRequest (INVOKE), relayed hop by hop; AuC verifies AUTHR and COUNT; AuC verifies AUTHR and generates VPMASK, SMEKEY.]
Because of SSD, the AuC can generate the same Voice Privacy Mask (VPMASK)
and Signaling Message Encryption Key (SMEKEY) as the mobile, and it passes this
information to the operator of PCS2.
[Figure: authentication message flow with shared SSD. Labels: LA info; registration request; RAND; AUTHR, ESN, MIN, RANDC, COUNT; AuthenticationRequest (INVOKE); AuC verifies AUTHR; CountRequest (INVOKE).]
Note that because the visited system shares the SSD, it no longer has to contact the
home PCS's AuC to generate the VPMASK and SMEKEY.
Cellular Authentication and Voice Encryption (CAVE) Algorithm
IS-54B - TDMA standard - includes CAVE algorithm
Computes Authentication Result (AUTHR) using SSD, ESN, MIN, a random
number (RAND).
RAND is typically updated in the system every 20 minutes and SSD is updated for
each mobile every 7 to 10 days [3].
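The checks on AUTHR, RANDC and COUNT described above, as an added example that is not part of the original slides. CAVE itself is not reproduced: a truncated HMAC-SHA256 stands in for it, and the 18-bit AUTHR width, RANDC as the top 8 bits of RAND, and every subscriber value are assumptions constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

AUTHR_BITS = 18  # assumed AUTHR width

def randc(rand: int) -> int:
    """Assumed: RANDC is the top 8 bits of the 32-bit RAND."""
    return (rand >> 24) & 0xFF

def authr(ssd: bytes, esn: int, min_: str, rand: int) -> int:
    """Stand-in for CAVE (NOT the real algorithm): HMAC-SHA256, truncated."""
    msg = rand.to_bytes(4, "big") + esn.to_bytes(4, "big") + min_.encode()
    tag = hmac.new(ssd, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big") >> (32 - AUTHR_BITS)

@dataclass
class Record:  # what the AuC holds per subscriber (hypothetical layout)
    esn: int
    ssd: bytes
    count: int

def auc_verify(db, rand, min_, esn, authr_rx, randc_rx, count_rx) -> str:
    """Checks applied to the fields AUTHR, ESN, MIN, RANDC, COUNT."""
    rec = db.get(min_)
    if rec is None or rec.esn != esn:
        return "deny: unknown MIN/ESN"
    if randc_rx != randc(rand):          # response was built on another RAND
        return "deny: stale RAND"
    if authr_rx != authr(rec.ssd, esn, min_, rand):
        return "deny: bad AUTHR"         # sender does not hold the SSD
    if count_rx != rec.count:            # two handsets share one identity
        return "deny: COUNT mismatch"
    return "accept"

def demo() -> list:
    # Constructed sample values, not real subscriber data.
    min_, esn, ssd = "5551230001", 0x9F012345, b"\x01\x23\x45\x67\x89\xab\xcd\xef"
    db = {min_: Record(esn, ssd, count=7)}
    old_rand, rand = 0x5A10F3C2, 0xC3772E01
    phone = (authr(ssd, esn, min_, rand), randc(rand), 7)
    # Handset programmed with MIN/ESN only: it has no SSD.
    no_ssd = (authr(b"\x00" * 8, esn, min_, rand), randc(rand), 7)
    # Response computed under the previous RAND.
    replay = (authr(ssd, esn, min_, old_rand), randc(old_rand), 7)
    # Handset with a copied SSD but an out-of-date COUNT.
    stale = (authr(ssd, esn, min_, rand), randc(rand), 5)
    return [auc_verify(db, rand, min_, esn, *r) for r in (phone, no_ssd, replay, stale)]

if __name__ == "__main__":
    print(demo())
```
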
3 of the 4 IS-54 algorithms have been broken:
David Wagner (University of California at Berkeley graduate student)
and Bruce Schneier & John Kelsey (both of Counterpane Systems)
announced that they had broken the Cellular Message Encryption
Algorithm (CMEA) [5], which is used to protect the control channel (for
example, dialed digits, alphanumeric pages).
D. Wagner, L. Simpson, E. Dawson, J. Kelsey, W. Millan, and B.
Schneier, "Cryptanalysis of ORYX" [6] - shows that the stream cipher
used to protect data is breakable with a plaintext attack.
Voice privacy depends on an XOR against a generated string, which is
generally rather easy to break.
Further reading
TIA
[4] Yi-Bing Lin, Seshadri Mohan, Nelson Sollenberger, and Howard Sherry,
"Adaptive Algorithms for Reducing PCS Network Authentication Traffic",
IEEE Transactions on Vehicular Technology, 46(3):588-596, 1997.
http://liny.csie.nctu.edu.tw/ieee-tvt94c.ps
[5] David Wagner, Bruce Schneier, and John Kelsey, "Cryptanalysis of the
Cellular Message Encryption Algorithm", Crypto'97, 1997.
Figure 6: PACS Architecture [labels: interface P, ISDN, AM, interface A, MS, portable, fixed access unit]
Non-radio service control: call control (managing the B channels), switching, routing.
The RPCU has to deal with inter-RPCU handoff (similar to inter-BSC handoff)
and inter-RP handoff.
Note: an AM is also located in the AIN SCP; the two interact with the ISDN/AIN
Switch providing tunneling/de-tunneling (i.e., encapsulation) of the ISDN
REGISTER messages over AIN.
Pg. 125 notes that the RPCUs could be connected via an IP network to the VLR,
thus bypassing the AIN/ISDN Switch (SSP) for all non-call associated (NCA)
signalling.
[Figure: network diagram. Labels: Switch, Internet, MD-IS, PSDN, M-ES, MDBS, AMPS BS, AMPS, PSTN, MSC.]
Internal F-ESs: hosts within the boundaries of the CDPD network; they have access to additional internal
network data (usage accounting information, mobile location information, subscriber
authentication information,
Directory Server: supports directory services within the CDPD network (could support
DNS and/or X.500)
$59.95: unlimited local usage plus 400 KB of usage in non-local areas (roaming)
$29.99: Handheld Local Unlimited Plan; unlimited local usage in areas where AT&T operates
wireless data, $0.05/kbyte when roaming
$54.99: AT&T's PC Card Local Unlimited Plan - if you load an OS other than PalmOS or Pocket PC
[9] A. Salkintzis, "Packet Data over Cellular Networks: The CDPD Approach",
IEEE Communication Magazine, vol. 37, no. 6, June 1999, pp. 152-159.
[10] Sun Jong Kwon, Yun Won Chung, and Dan Keun Sung, "Performance
Analysis of CDPD Sleep Mode for Power Conservation in Mobile End
Systems", IEICE Transactions on Communications, vol. E84B, no. 10, Oct.
2001.
http://cnr.kaist.ac.kr/~ywchung/paper/APCC2001sjkwon.pdf